Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02ZjU4LWozMjMtNjQ3Ms4AA21F

pimcore/admin-ui-classic-bundle Unverified Password Change

Impact

As old password can be set as new password , it is considered as password policy violation.

Pimcore is not enforcing strict password policy which allow attacker to set old password as new password

Proof of Concept

Go to Admin link
login and click on -> "User | My Profile".
Go to change password now put old password as new password and click save.

Permalink: https://github.com/advisories/GHSA-6f58-j323-6472
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02ZjU4LWozMjMtNjQ3Ms4AA21F
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago

CVSS Score: 4.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Percentage: 0.00085
EPSS Percentile: 0.38499

Identifiers: GHSA-6f58-j323-6472, CVE-2023-5844
References:

Repository: https://github.com/pimcore/admin-ui-classic-bundle
Blast Radius: 3.6

Affected Packages

packagist:pimcore/admin-ui-classic-bundle

Dependent packages: 28
Dependent repositories: 7
Downloads: 584,043 total
Affected Version Ranges: < 1.2.0
Fixed in: 1.2.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4
All unaffected versions: 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.7.0, 1.7.1, 1.7.2, 1.7.3

Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS02ZjU4LWozMjMtNjQ3Ms4AA21F

Impact

Patches

Workarounds

References

Affected Packages

packagist:pimcore/admin-ui-classic-bundle